Payment cards such as credit cards and debit cards are very widely used for all forms of financial transaction. The use of payment cards has evolved significantly with technological developments over recent years. Many payments are made at a retail location, typically with a physical transaction card interacting with a point of interaction (POI) terminal to perform a transaction. These transaction cards may interact with a POI by swiping through a magnetic stripe reader or, for a “chip card” or “smart card”, by direct contact with a smart card reader (under standard ISO/IEC 7816) or by contactless interaction through local short-range wireless communication (under standard ISO/IEC 14443).
The present applicants have developed a proprietary system, known as MasterCard® Contactless, for performing contactless transactions. The present applicants have also appreciated that it would be possible to use a computing device such as a mobile telephone as a proxy for a payment card. They have also developed a mobile payment application, M/Chip Mobile, which can be downloaded to a mobile cellular telephone handset (hereafter “mobile phone”) to act as a proxy for a payment card using Near Field Communication (NFC) technology standards, which are built into the majority of current mobile phones. NFC is a development upon RFID, and NFC-enabled devices are able to operate in the same manner as RFID devices—though an NFC device is active rather than passive, as it is powered by the mobile phone battery rather than relying on inductive pickup from a reader device. Using M/Chip Mobile, a user can conduct tapping-based transactions with a proximity reader, as well as perform account management operations over an appropriate network interface (cellular, local wireless network) in an online banking interface with the user's account provider.
Other mobile payment applications and associated services exist, typically having a similar functionality and potentially incorporating similar solutions. Examples are Apple Pay (operating on iOS devices) and Google Wallet (operating on Android devices).
Mobile payment applications require access to sensitive data for their operation. There are known mechanisms for holding secure data and performing secure operations on a mobile device. One approach is to use a secure element (SE) in the mobile device. A conventional SE is a tamper-resistant physical device, generally physically and logically protected so that the operations performed in it and the data held in it can be trusted by other system elements. Another approach is to use a trusted execution environment (TEE)—this is an isolated execution environment provided by the main processor of the mobile device, adapted so that code and data loaded within it are confidential and integrity protected. The TEE operates in parallel to the main operating system of the mobile device, and certain aspects of payment processing are carried out in the TEE for added security. For Android devices, a software architecture termed host card emulation (HCE) has been introduced (from Android 4.4 onwards) to provide representations of electronic identity using software alone without the use of a secure element—this has been used to achieve transactions using near field communication (NFC) protocols.
Often, those solutions that do not make use of a secure element within the mobile device require the periodic supply of session keys from a secure cloud-based server owned by the card issuer. This can be problematic when carrying out a large number of transactions, as there are a limited number of session keys available.
Against this background, the present disclosure aims to provide a method of carrying out payment transactions securely using a mobile phone (or other mobile device), without the need for either a chip-based SE or the periodic supply of session keys using a cloud-based solution.